DATA PRIVACY

POLICY: This policy describes how company business and official data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.

Data Protection

a) To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

b) The Data Protection Act is underpinned by eight important principles. These say that personal data must:

i) Be processed fairly and lawfully

ii) Be obtained only for specific, lawful purposes

iii) Be adequate, relevant and not excessive

iv) Be accurate and kept up to date

v) Not be held for any longer than necessary

vi) Processed following the rights of data subjects

vii) Be protected in appropriate ways

Data Policy

a) This policy applies to:

i) The head office

ii) All branches

iii) All staff and volunteers

iv) All contractors, suppliers and other people working onsite

b) This policy helps to protect [CULINARY CULTURE] from some very real data security risks, including:

i) Breaches of confidentiality. For instance, information being given out inappropriately.

ii) Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.

iii) Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

c) Everyone who works for or with [CULINARY CULTURE] has some responsibility for ensuring data is collected, stored and handled appropriately

Data Storage

a) These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.

b) When data is stored on paper, it should be kept in a secure place where unauthorized people cannot see it.

c) These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:

i) When not required, the paper or files should be kept in a locked drawer or filing cabinet.

ii) Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.

iii) Data printouts should be shredded and disposed of securely when no longer required.

d) When data is stored electronically, it must be protected from unauthorized access, accidental deletion, and malicious hacking attempts:

i) Data should be protected by strong passwords that are changed regularly and never shared between employees.

ii). If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.

iii) Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.

iv) Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.

v) Data should never be saved directly to laptops or other mobile devices like tablets or smartphones.

vi) All servers and computers containing data should be protected by approved security software.

DATA BACKUP

POLICY: This describes the Backup, Restore and Recovery operating process for [CULINARY CULTURE].

Backup

a) Backup of all business-critical data must be retained so that all systems are fully recoverable. This may be achieved by using a combination of different categories with full, incremental, differential backups.

b) In case any application/data are not listed in the backup schedule; contact the support vendor to update the list.

c) The backup schedule needs to be submitted to the Corporate IT as compliance with the Backup plan every month.

d) One fully recoverable version of all the complete data must be stored in a secured location i.e. inside the fireproof safe or offsite location.

e) All backup cartridges that are not re-usable will be thoroughly destroyed. This is also applicable to USB / External HDD / CD & DVDs.

f) The Backup Policy owner is responsible to conduct backups as per planned defined by Corporate IT and in case of any change deviation form must be signed off and recorded for audit reference.

ICT Department Scope

a) To ensure that the online, offline and offsite data backup is in place.

b) To ensure that the user data is linked with their One Drive

c) To ensure Store IOT, are connected 24×7 internet connectivity for data transmission in an encrypted form.

d) All backups should be kept in safe custody with Location IT in-charge and Location Administrative Head.

Restore Process

User’s Data Backup

a) In case of loss of data, the user’s first Point of Contact is the IT Helpdesk. The monthly data will require a minimum of one-day notice before it can be restored to the user.

Restoration of Data in Case of failure

i) Inform Corporate IT immediately.

ii) Inform all users about the failure and simultaneously log a case to our IT support vendor.

iii) After informing the above, try and rectify the problem in-house byways of troubleshooting.

iv) Access and restore the data from the onsite storage must be done under the supervision of application vendors. All user’s data restoration must be done jointly.

v) If reformatting is required, make sure that the last good backup exists.

vi) Finally, access and restore data from the storage

DATA DISPOSAL & E-WASTE

POLICY: To ensure proper disposal of data and e-waste from activities conducted by or overseen by ICT staff. [CULINARY CULTURE] employees (e.g., staff, development employees) and other covered individuals (e.g., affiliates, vendors, independent contractors, etc.) in their handling of PII data, information, and records in electronic form during the course of conducting the business.

E-WASTE DISPOSAL

a) E-waste should be collected by the Stores department before handing over the new ones to the engineering / it or any end-user department. This is required as a control procedure.

b) Finance team to review the list and adjust entries in Fixed Assets for items that are disposed of under e-waste.

c) All equipment must have been approved for disposal by the DPO and CTO

d) Departments must remove hard drives from CPU’s and Servers before pick-up (applicable to Laptop, Desktop)

e) Departments must call the IT for schedule and plan the handover of the asset for disposal

DATA DISPOSAL

As [CULINARY CULTURE] will expand to other countries, we will ensure that the PII retention policies and compliance will be followed as per the country’s jurisdiction.

The sanitization method for the data depends on the information stored on the cloud, the age of the data (version). The following table should help decide how to handle a particular data

 

 

Getting a certificate of destruction from your cloud provider, if available

● Simply encrypting all of your data and then shredding the key as a means of ensuring the data is unrecoverable

● Define which tables from your POS Data Catalog contain data you want to erase

● Manage a queue of identifiers (such as unique customer identifiers) to erase

● Erase rows from your data lake matching the queued record identifiers

● Access a log of all actions taken by the solution

When you handle requests to remove data, you add the identifiers through the web interface or API to a Deletion Queue. The identifiers remain in the queue until you start a Deletion Job. The Deletion Job processes the queue and removes matching rows from objects in your data lake.

PII Hardcopy Disposal

Any PII data stored in hardcopy format will be destroyed post completion of the work.

Sensitive PII, including that found in hardcopy format, must be disposed of when no longer required, consistent with the applicable records disposition schedules. If destruction is required, take the following steps: Shred paper containing Sensitive PII; do not recycle or place in garbage containers.

The Team Lead is responsible for this task.

Personal Identity Information (PII) Security, Notification and Confidentiality Policy

POLICY: The scope of this policy is intended to be comprehensive and will include company requirements for the security and protection of such information throughout the company and its approved vendors both on and off work premises.

Purpose

[CULINARY CULTURE] recognizes its need to maintain the confidentiality of Personal Identifiable Information (PII) and understands that such information is unique to each individual. The PII covered by this policy may come from various types of individuals performing tasks on behalf of the company and includes employees, applicants, independent contractors and any PII maintained on its customer base. The scope of this policy is intended to be comprehensive and will include company requirements for the security and protection of such information throughout the company and its approved vendors both on and off work premises. Departments named in this policy have delegated authority for developing and implementing procedural guidance for ensuring that their departmental responsibilities under this policy are communicated and enforced.

Key Elements – PII Data

The following list contains examples of information that may be considered PII.

● Name, such as full name, maiden name, mother‘s maiden name, or alias

● Personal identification number, such as Aadhar Card, driver’s license number, taxpayer identification number, and financial account

● Address information, such as street address or email address

● Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well defined group of people

● Telephone numbers, including mobile, business, and personal numbers

● Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)

● Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information)

PII Retention

[CULINARY CULTURE] understands the importance of minimizing the amount of PII data it maintains and retains such PII only as long as necessary. A joint task force comprising members of the Legal, Finance, IT, Contracts and Human Resources departments maintains organizational record retention procedures, which dictate the length of data retention and data destruction methods for both hard copy and electronic records.

The Tax Act, 2017 (CGST Act) requires the taxpayer entity to maintain customers’ personal financial information relevant to the transaction with that customer for six years from the annual return’s due date (Section 36, CGST Act). The Companies Act, 2013 (Companies Act) and associated rules require companies to retain for a period of eight years all corporate records, including: Regulatory filings.

Employer’s Obligations Under the IT Rules and IT Act – As per Rule 5(4), employers may not retain information beyond when it may lawfully be used (sensitive information only). This is not the same as when the purpose of collection has expired and is a low standard of protection. An employer should retain employee personal data for at least three years, as the laws on limitation provide that civil legal proceedings may be initiated during such period.

As [CULINARY CULTURE] expands and offers its services to users in other countries, it will ensure that the PII retention policies and compliance will be followed as per the country’s jurisdiction.

PII Audit(s)

[CULINARY CULTURE] conducts audits of PII information maintained by the company in conjunction with fiscal year closing activities to ensure that this policy remains strictly enforced and to ascertain the necessity for the continued retention of PII information. Where the need no longer exists, PII information will be destroyed in accordance with protocols for destruction of such records and logs maintained for the dates of destruction. The audits are conducted by Finance, IT, Contracts and Human Resources departments under the auspices of the Legal department.

Data Breaches/Notification

Databases or data sets that include PII may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, the company will notify all affected individuals whose PII data may have been compromised, and the notice will be accompanied by a description of action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible and in no event be later than the commencement of the payroll period after which the breach was discovered.

The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“Cert-In Rules”) impose mandatory notification requirements on service providers, intermediaries, data centers and corporate entities, upon the occurrence of certain cybersecurity incidents. All Information about the breach is to be shared within 72 hours.

The occurrence of the following types of cybersecurity incidents trigger the notification requirements under the Cert-In Rules:

● Targeted scanning or probing of critical networks or systems

● Compromise of critical information or system

● Unauthorized access of IT systems or data

● Defacement of websites or intrusion into websites and unauthorized changes, such as inserting malicious codes or links to external websites

● Malicious code attacks such as spreading viruses, worms, Trojans, Botnets or Spyware

● Attacks on servers such as Database, Mail and DNS or network devices such as Routers

● Identity theft, Spoofing and phishing attacks

● Denial of service (DoS) and Distributed Denial of service (DDoS) attacks

● Attacks on critical infrastructure, SCADA systems and wireless networks

● Attacks on applications such as e-governance and e-commerce

All the notification will be routed through [CULINARY CULTURE] Grievance Office via email: [To be inserted]

The Legal / Grievance department will handle breach notifications(s) to all governmental agencies to whom such notice must be provided in accordance with time frames specified under these laws. Notices to affected individuals will be communicated by DPO or PII Officer after consultation with the Legal department and within the time frame specified under the appropriate law(s).

Data Access

[CULINARY CULTURE] maintains multiple IT systems where PII data may reside; thus, user access to such IT systems is the responsibility of the IT department. The IT department has created internal controls for such systems to establish legitimate access for users of data, and access shall be limited to those approved by IT. Any change in vendor status or the termination of an employee or independent contractor with access will immediately result in the termination of the user’s access to all systems where the PII may reside.

Data Access – Analytics

[CULINARY CULTURE] analytics are built for internal business usage and security, governance, and auditing policies to satisfy industry and geography-specific regulations while using the data has been followed. [CULINARY CULTURE] uses aggregated data for analytics, restricting access to columns, tables, or documents that may contain PII. Data must be anonymized before being used for business intelligence.

Regulatory Requirements

It is the policy of the company to comply with any Indian Cyber Act and GDPR. [CULINARY CULTURE] has delegated the responsibility for maintaining PII security provisions to the departments noted in this policy. [CULINARY CULTURE] Legal department shall be the sole entity named to oversee all regulatory reporting compliance issues. If any provision of this policy conflicts with a statutory requirement of international, federal or state law governing PII, the policy provision(s) that conflict shall be superseded.

Employee Contact

If an employee has reason to believe that his or her PII (please refer to what constitutes PII) data security has been breached or that company representative(s) are not adhering to the provisions of this policy, an employee should contact the company email at itsupport@subway.in or contact an HR representative at the employee’s location.

Confirmation of Confidentiality

All company employees must maintain the confidentiality of PII as well as company proprietary data to which they may have access and understand that such PII is to be restricted to only those with a business need to know. Employees with ongoing access to such data will sign acknowledgement reminders annually attesting to their understanding of this company requirement.

Violations of PII Policies and Procedures

[CULINARY CULTURE] views the protection of PII data to be of the utmost importance. Infractions of this policy or its procedures will result in disciplinary actions under the company’s discipline policy and may include suspension or termination in the case of severe or repeat violations. PII violations and disciplinary actions are incorporated in the company’s PII onboarding and refresher training to reinforce the company’s continuing commitment to ensuring that this data is protected by the highest standards.

Impact Level Definitions

The following describe the three impact levels—low, moderate, and high, which are based on the potential impact of a security breach involving a particular system: ―

The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Incident Response for Breaches Involving PII – Internal

All Information about the breach is to be shared with affected parties within 72 hours. Management of incidents involving PII often requires close coordination among personnel from across the organization, such as the CIO, CPO, system owner, data owner, legal counsel, and public relations officer. These team will closely coordinate to ensure effective management when an incident occurs.

At [CULINARY CULTURE] we enforce that the incident must be reported via email itsupport@subway.in

The following information is helpful to obtain from a person who is reporting a known or suspected breach involving PII.

Person reporting the incident

● Person who discovered the incident

● Date and time the incident was discovered.

● Nature of the incident

● Name of system and possible interconnectivity with other systems

● Description of the information lost or compromised.

● Storage medium from which information was lost or compromised.

● Controls in place to prevent unauthorized use of the lost or compromised information.

● Number of individuals potentially affected.

● Whether law enforcement was contacted.

To meet this obligation, organizations should proactively plan their breach notification response. A breach involving PII may require notification to persons external to the organization, such as law enforcement, financial institutions, affected individuals, the media, and the public.

[CULINARY CULTURE] to include the following elements in their plans for handling breach notification:

Whether breach notification to affected individuals is required –

● Timeliness of the notification

● Source of the notification

● Contents of the notification

● Means of providing the notification

● Who receives the notification, public outreach response.

● What actions were taken and by whom.

Incident Response for Breaches Involving PII – CERT

[CULINARY CULTURE] HR and IT, Team representative, designated by the organization, will be responsible to communicate and report incident to CERT by filling up the [CULINARY CULTURE] Security Incident Reporting Form.

The form will be emailed to incident@cert-in.org.in

The Incident Response Process incorporates the Information Security Roles and Responsibilities definitions and extends or adds the following Roles.

• Incident Response Coordinator: The Incident Response Coordinator is responsible for assembling all the data pertinent to an incident, communicating with appropriate parties, ensuring that the information is complete, and reporting on incident status both during and after the investigation.
• Incident Response Handlers is [CULINARY CULTURE] Head of Operations, or outside contractors who gather, preserve and analyze evidence so that an incident can be brought to a conclusion.
• Law Enforcement includes the Cyber Police, and government agencies that present warrants or subpoenas for the disclosure of information. Interactions with these groups will be coordinated by [CULINARY CULTURE] Head Of Technology and Grievance Officer

[CULINARY CULTURE] will report and respond to incident in following phases

• Preparation includes those activities that enable the [CULINARY CULTURE] to respond to an incident: policies, tools, procedures, effective governance and communication plans. Pre because of implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents should form the basis for continuous improvement of this stage.
• Detection is the discovery of the event with security tools or notification by an inside or outside party about a suspected incident. This phase includes the declaration and initial classification of the incident.
• Containment is the triage phase where the affected host or system is identified, isolated or otherwise mitigated, and when affected parties are notified and investigative status established. This phase includes subprocedures for seizure and evidence handling, escalation, and communication.
• Investigation is the phase where ISO personnel determine the priority, scope, and root cause of the incident.
• Remediation is the post-incident repair of affected systems, communication and instruction to affected parties, and analysis that confirms the threat has been contained.
• Recovery is the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of “lessons learned” into future response activities and training.

Escalation At any time during the incident response process, the Incident Response Coordinator and the Head Of Technology may be called upon to escalate any issue regarding the process or incident to [CULINARY CULTURE] Management.

Post-Incident Activity

As with other security incidents, information learned through detection, analysis, containment, and recovery should be collected for sharing within the organization and with the CERT agency to help protect against future incidents.

The incident response plan should be continually updated and improved based on the lessons learned during each incident.

Lessons learned might also indicate the need for additional training, security controls, or procedures to protect against future incidents.

Additionally, the organization should use its response policy, developed during the planning phase, to determine whether the organization should provide affected individuals with remedial assistance. When providing notice to individuals, organizations should make affected individuals aware of their options.

Right to access, erasure, and modification

[CULINARY CULTURE] retains PII in accordance with operating jurisdiction. EU residents can exercise their GDPR rights as defined in the Privacy Policy by contacting [CULINARY CULTURE]. Upon request, [CULINARY CULTURE] uses a combination of 3rd party tools to identify and isolate principal PII. [CULINARY CULTURE] then uses an internal tool to replace all PII to satisfy requests including bulk modification of PII, redaction, or a copy of the principal’s full PII from all data sources. In case of modification by a PII principal, [CULINARY CULTURE] will notify sub processors via API call to compliant subprocesses and notify all sub processors of the change via email as well.